Date post: 28-Dec-2015

MrFlow: Why MrSpidey Failed

Philippe Meunier, Paul Steckler

Value-flow Analysis

• Which values might an expression produce at run-time?

• Where do they come from?

• Useful for

– debugging
– optimization
– security
– soft-typing
– etc.

• MrSpidey

From MrSpidey to MrFlow

• MrSpidey’s selector-based analysis framework is overly conservative

• Framework can be extended, but resulting analysis very slow

• Conditional-constraint-based framework gives faster analysis, results just as good

• Can be extended to support full language

MrFlow

Languages

• Lambda calculus (for a start):

V = c | (λx . E) | (cons V V)
E = x | V | (E E) | (car E) | (cdr E)

• Constraint language: = | c | | pair | dom() | rng() | car() | cdr()

• Constraints: 3 dom()

Analysis

• Derivation phase: analyze terms and create constraints

• Propagation phase: create new constraints from old ones

Derivation

(( x . x) 3)App

x : Env

Env(x)

, dom , rng()

3

dom(), rng()

x :

x

3


Propagation

3 , dom(), dom , , rng(), rng() ,

3 dom(), dom , , rng(), rng() ,

3 , , rng(), rng() ,

3 , rng(), rng() ,

3 rng(), rng() ,

3 ,

• 3 is the result of the application

• Rules from Flanagan (1997), based on Heintze (1994)

Limitations

• We want to handle multiple arguments: (lambda (x y) 1)

• Analysis: only one argument

MrSpidey: pack all the arguments in a list (tuple) and hope for the best.

Limitations

• We want to handle rest arguments: (lambda (x y . z) 1)

• Analysis: only one argument

MrSpidey: all the arguments are already in a list, nothing more to do.

Limitations

• We want to handle case-lambda (overloading by arity)

(case-lambda [(x) 1] [(x y) 2])

– part of PLT Scheme and used
– used also in expansion of opt-lambda
– will replace lambda

• Analysis: only one clause

MrSpidey: flow in and out of all clauses regardless of arity.

Limitations

• Arity error detected

• String still flows into x and out of the function to create other error

Limitations

• 42 flows into x and y

• z is empty

Limitations

• Second clause is unreachable

• 64 still flows into second clause

Limitations

• Results of both clauses flow out, even though only first clause matches

Limitations

• Correct but too conservative: spurious errors

Solution: annotated selectors

• Extend framework: annotations to dom and rng selectors

• Specify:

– argument position in a clause (λ and app): dom_j()
– total number of arguments (app): dom_{j,n}()
– if clause has rest argument (λ and app): dom^{[i,]}_{j,n}()
– arities of previous clauses (λ): dom^{([i,],(I1,I2,...))}_{j,n}()

Solution: annotated selectors

• Direct extension of old MrSpidey rules

• Computes strictly better results (solves all the previously shown problems)

• Resulting framework extremely complex

dom^{([i,],(I1,I2,...))}_{j,n}()

Performance

• MrSpidey

– O(n) set expressions, so O(n^2) constraints
– for a given constraint matching the premise of a rule: O(n) constraints matching the other premise

O(n^3)

Performance

• Annotated selectors

– O(n^2) set expressions, so O(n^4) constraints
• selectors only on one side of constraint: O(n^3)
• shape of propagation rules limits number of new constraints created: O(n^2) constraints
– for a given constraint matching the premise of a rule:
• O(n) constraints matching the other premise
• O(n) for matching arities
• O(n) for encoding constraints (prevent duplicates)

O(n^5)

Performance

• Test programs:

(define f
  (case-lambda
    [(a) a]
    [(a b) a]
    [(a b c) a]))

((f (f (f f))) f f f)

• DrScheme v103

• UltraSPARC II, 2 GB RAM, 300 MHz

Performance

• MrSpidey: O(n^2.4)

• Analysis with annotations: O(n^2.9)

• Still outperforms MrSpidey on some tests

Performance

• Many more constraints

• Search for match and annotations encoding slow

• When a function propagates, the dom and rng selectors have to propagate with it

dom , dom

• Use different framework: conditional constraints instead of selectors

Languages

• Lambda calculus (for a start):

V = c | (λx . E) | (cons V V)
E = x | V | (E E) | (car E) | (cdr E)

• Set of values for term labeled with : ()

• Compound labels: ( ’), (cons ’)

• Constraints:

– ’ () (’) ()
– If ’ () then …

• Based on Palsberg and Schwartzbach (1994)


Derivation

App

x : 1

(( x1 . x2)3 34)5

5

3 43

x : 1 Env

1 Env(x)

(1) (2)

( 1 2) (3)

4 (4)

If ( ’) (3)

then (4) ()

(’) (5)

(4) (1)

(2) (5)

x 2


Derivation

• Propagate as we derive

• Conditional constraints:

– Actual arguments flow directly into formal arguments

– Value of body of function flows directly out into result of application

– Function represented by compound label and only that needs to flow

• Results just as good
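The two-phase analysis described on these slides, as an added worked example in Python (this is not MrFlow's or MrSpidey's code): a derivation phase labels each term and records its applications, and a propagation phase fires the conditional constraint "if a compound label for a function reaches the operator's label, connect actual arguments to formals and the body to the result" until a fixpoint is reached. It also covers the case-lambda arity point from the Limitations slides: a call is matched to the first clause of its arity, so a call with no matching clause sends nothing in or out, unlike the MrSpidey behaviour shown there. The tuple encoding of terms, the ('const', ...)/('lam', ...) abstract values, and the omission of rest arguments, cons/car/cdr are my own assumptions.

```python
from collections import defaultdict

class Analysis:
    # phi: label -> abstract values; edges: label -> labels it flows into
    # apps: (fn_label, arg_labels, app_label); errors: (app_label, fn value) with no clause of that arity
    def __init__(self):
        self.phi, self.edges = defaultdict(set), defaultdict(set)
        self.apps, self.errors, self.n = [], set(), 0
    def fresh(self):  # next label
        self.n += 1; return self.n
    def derive(self, term, env):
        # Derivation phase: label `term`, record its constraints, return its label.
        kind = term[0]
        if kind == 'const':
            lab = self.fresh(); self.phi[lab].add(('const', term[1])); return lab
        if kind == 'var':
            return env[term[1]]  # a variable reuses its binder's label
        if kind == 'case-lambda':  # ('case-lambda', [(params, body), ...]); a lambda is one clause
            clauses = []
            for params, body in term[1]:
                ps = [self.fresh() for _ in params]
                clauses.append((tuple(ps), self.derive(body, {**env, **dict(zip(params, ps))})))
            lab = self.fresh(); self.phi[lab].add(('lam', tuple(clauses))); return lab  # compound label
        if kind == 'app':
            fn = self.derive(term[1], env)
            args = [self.derive(a, env) for a in term[2]]
            lab = self.fresh(); self.apps.append((fn, args, lab)); return lab
        raise ValueError(kind)
    def propagate(self):
        # Propagation phase, to a fixpoint: fire conditional constraints, then push sets along edges.
        changed = True
        while changed:
            changed = False
            for fn, args, app in self.apps:
                for v in [v for v in self.phi[fn] if v[0] == 'lam']:  # non-functions are ignored here
                    clause = next((c for c in v[1] if len(c[0]) == len(args)), None)
                    if clause is None:  # no clause of this arity: nothing flows in or out
                        self.errors.add((app, v)); continue
                    for a, p in zip(args, clause[0]):
                        self.edges[a].add(p)  # actual argument -> formal parameter
                    self.edges[clause[1]].add(app)  # clause body -> result of the application
            for src, dsts in list(self.edges.items()):
                for d in dsts:
                    if not self.phi[src] <= self.phi[d]:
                        self.phi[d] |= self.phi[src]; changed = True

def analyze(term):
    a = Analysis(); root = a.derive(term, {}); a.propagate()
    return a.phi[root], a.errors
```

Running `analyze` on the slides' ((λx . x) 3) gives the single value 3 at the application label; applying the same function to two arguments yields an arity error and an empty result instead of letting both arguments flow through.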

Performance

• O(n) constraints created
• O(n^2) possible flows
• O(n) possible values to flow

O(n^3)

• Analysis with conditional constraints: O(n^1.04)

Extending the analysis

• MrSpidey analyses PLT Scheme (v103)

• We want at least R5RS Scheme to compare

Extending the analysis

• Cannot have a derivation rule for each primitive

– specify a type for each primitive:

+ : (case-lambda
      [() 0]
      [(rest number (listof number)) number])

– rules to transform type into set of constraints

– mutators implemented as special case

• All R5RS primitives implemented

Extending the analysis

• Other language constructs (if, let, letrec, begin): simple extensions

• Multiple values

– implemented as tuples
– must restrict set inclusion for “in” flows: (’) () becomes (’) v (); performance loss

Extending the analysis

• Set!

(define x 1)
(define f (lambda () (set! x 2)))
x
(f)
x

– We want a conservative but good approximation

– Need to delay set! until f applied: add extra information to compound label

Extending the analysis

• Generative structures

– not R5RS Scheme, but needed for PLT Scheme

(define f (lambda () (define-struct foo (a b))))

– New structure type each time f is applied

– define-struct is a macro: ad-hoc rule

Performance

• Extended analysis with conditional constraints: O(n^1.07)

• DrScheme v200

• Real programs: still faster (except type checking), need more data.

Conclusion

• MrSpidey works fine, but framework limited

• framework can be extended

• Annotations make analysis very slow

• Conditional-constraint-based analysis faster, results just as good

• Can be extended to support full language

• MrFlow to replace MrSpidey

